AMENDMENTS TO THE CLAIMS

1. (Currently Amended) A memory management unit for managing a memory storing data
arranged within a plurality of memory pages, the memory management unit comprising:

a security check unit coupled to receive a physical address generated during
execution of a current instruction, wherein the physical address resides within a selected
memory page, and wherein the security check unit is configured to use the physical
address to access at least one security attribute data structure located in the memory to
obtain a security attribute of the selected memory page, to compare a numerical value
information conveyed by a security attribute of the current instruction to a numerical
value information conveyed by the security attribute of the selected memory page, and to
produce an output signal dependent upon a result of the comparison; and

wherein the memory management unit is configured to access the selected memory page
dependent upon the output signal.

2. (Original) The memory management unit as recited in claim 1, wherein the at least one
security attribute data structure comprises a security attribute table directory and at least one 
security attribute table. 

3. (Original) The memory management unit as recited in claim 2, wherein the security
attribute table directory comprises a plurality of entries, and where each entry of the security
attribute table directory includes a present bit and a security attribute table base address field, and
wherein the present bit indicates whether or not a security attribute table corresponding to the
security attribute table directory entry is present in the memory, and wherein the security
attribute table base address field is reserved for a base address of the security attribute table
corresponding to the security attribute table directory entry.

Serial No. 10/010,569



4. (Original) The memory management unit as recited in claim 2, wherein the at least one
security attribute table comprises a plurality of entries, and where each entry of the security
attribute table includes a security context identification (SCID) field, and wherein the SCID field
includes a plurality of bit positions, and wherein the bit positions form a binary representation of
an SCID value, and wherein the SCID value is an integer value greater than or equal to 0, and
wherein the SCID value indicates a security context level of a corresponding memory page.

5. (Original) The memory management unit as recited in claim 1, wherein the security 
attribute of the selected memory page comprises a security context identification (SCID) value, 
and wherein the SCID value is an integer value greater than or equal to 0 and indicates a security 
context level of the selected memory page. 

6. (Original) The memory management unit as recited in claim 1, wherein the security 
attribute of the current instruction comprises a security context identification (SCID) value, and 
wherein the SCID value is an integer value greater than or equal to 0 and indicates a security 
context level of a memory page containing the current instruction.

7. (Original) The memory management unit as recited in claim 1, wherein the security
check logic is configured to obtain the security attribute of the current instruction from the at
least one security attribute data structure.

8. (Original) The memory management unit as recited in claim 1, wherein the output signal
is a fault signal.

9. (Currently Amended) The memory management unit as recited in claim 1, wherein the
security check unit is configured to receive a set of security attributes of the selected memory
page in addition to the security attribute of selected memory page, and to produce the output
signal dependent upon: (i) the result of the comparison of the information numerical value
conveyed by the security attribute of the current instruction to the information numerical value
conveyed by the security attribute of selected memory page, and (ii) the set of security attributes
of the selected memory page.

10. (Original) The memory management unit as recited in claim 9, wherein the set of security
attributes of the selected memory page comprise a user/supervisor (U/S) bit and a read/write
(R/W) bit as defined by the x86 processor architecture, and wherein U/S=0 indicates the selected
memory page is an operating system memory page and corresponds to a supervisor level of the
operating system, and wherein U/S=1 indicates the selected memory page is a user memory page
and corresponds to a user level of the operating system, and wherein R/W=0 indicates only read
accesses are allowed to the selected memory page, and wherein R/W=1 indicates that both read
and write accesses are allowed to the selected memory page.

11. (Currently Amended) A central processing unit, comprising:

an execution unit operably coupled to a memory, wherein the execution unit is configured
to fetch instructions from the memory and to execute the instructions; and

a memory management unit (MMU) operably coupled to the memory and configured to
manage the memory, wherein the MMU is configurable to manage the memory such that the
memory stores data arranged within a plurality of memory pages, and wherein the MMU
comprises:

a security check unit coupled to receive a physical address generated by the
execution unit during execution of a current instruction, wherein the physical address
resides within a selected memory page, and wherein the security check unit is configured
to use the physical address to access at least one security attribute data structure located
in the memory to obtain a security attribute of the selected memory page, to compare
information a numerical value conveyed by a security attribute of the current instruction
to information a numerical value conveyed by the security attribute of selected memory
page, and to produce an output signal dependent upon a result of the comparison; and

wherein the MMU is configured to access the selected memory page dependent upon the output
signal.



12. (Currently Amended) A computer system, comprising:

a memory for storing data, wherein the data includes instructions;
a central processing unit (CPU), comprising:

an execution unit operably coupled to the memory, wherein the execution unit is
configured to fetch instructions from the memory and to execute the instructions; and

a memory management unit (MMU) operably coupled to the memory and configured to
manage the memory, wherein the MMU is configurable to manage the memory such that the
memory stores the data arranged within a plurality of memory pages, and wherein the MMU
comprises:

a security check unit coupled to receive a physical address generated by the
execution unit during execution of a current instruction, wherein the physical address
resides within a selected memory page, and wherein the security check unit is configured
to use the physical address to access at least one security attribute data structure located
in the memory to obtain a security attribute of the selected memory page, to compare
information a numerical value conveyed by a security attribute of the current instruction
to information a numerical value conveyed by the security attribute of selected memory
page, and to produce an output signal dependent upon a result of the comparison; and

wherein the MMU is configured to access the selected memory page dependent upon the output
signal.

13. (Currently Amended) A memory management unit for managing a memory storing data
arranged within a plurality of memory pages, the memory management unit comprising:

a paging unit coupled to the memory and to receive a linear address produced during
execution of a current instruction, and configured to use the linear address to produce a physical
address within a selected memory page, wherein the paging unit is configured to use the linear
address to access at least one paged memory data structure located in the memory to obtain
security attributes of the selected memory page, and wherein the paging unit is configured to
produce a fault signal dependent upon the security attributes of the selected memory page, and
wherein the paging unit comprises:

a security check unit coupled to receive the physical address, and wherein the
security check unit is configured to use the physical address to access at least one security
attribute data structure located in the memory to obtain an additional security attribute of
the selected memory page, to compare information a numerical value conveyed by a
security attribute of the current instruction to information a numerical value conveyed by
the additional security attribute of selected memory page, and to produce an output signal
dependent upon a result of the comparison; and

wherein the memory management unit is configured to access the selected memory page
dependent upon the output signal.

14. (Original) The memory management unit as recited in claim 13, wherein the at least one
security attribute data structure comprises a security attribute table directory and at least one 
security attribute table. 

15. (Original) The memory management unit as recited in claim 14, wherein the security
attribute table directory comprises a plurality of entries, and where each entry of the security
attribute table directory includes a present bit and a security attribute table base address field, and
wherein the present bit indicates whether or not a security attribute table corresponding to the
security attribute table directory entry is present in the memory, and wherein the security
attribute table base address field is reserved for a base address of the security attribute table
corresponding to the security attribute table directory entry.

16. (Original) The memory management unit as recited in claim 14, wherein the at least one
security attribute table comprises a plurality of entries, and where each entry of the security
attribute table includes a security context identification (SCID) field, and wherein the SCID field
includes a plurality of bit positions, and wherein the bit positions form a binary representation of
an SCID value, and wherein the SCID value is an integer value greater than or equal to 0, and
wherein the SCID value indicates a security context level of a corresponding memory page.



17. (Original) The memory management unit as recited in claim 13, wherein the additional
security attribute of the selected memory page comprises a security context identification (SCID)
value, and wherein the SCID value is an integer value greater than or equal to 0 and indicates a
security context level of the selected memory page.

18. (Original) The memory management unit as recited in claim 13, wherein the security 
attribute of the current instruction comprises a security context identification (SCID) value, and 
wherein the SCID value is an integer value greater than or equal to 0 and indicates a security 
context level of a memory page containing the current instruction. 

19. (Currently Amended) The memory management unit as recited in claim 13, wherein the
security check unit is coupled to receive a current privilege level (CPL) of a current task
including the current instruction, and to produce the output signal dependent upon: (i) the result
of the comparison of the information numerical values conveyed by the security attribute of the
current instruction and the security attribute of selected memory page, and (ii) the CPL of the
current task including the current instruction.

20. (Original) The memory management unit as recited in claim 13, wherein the physical
address within the selected memory page includes a base address and an offset, and wherein the
paging unit is configured to obtain the base address from the at least one paged memory data
structure.



21. (Original) The memory management unit as recited in claim 13, wherein the at least one
paged memory data structure comprises a page directory and at least one page table as defined by
the x86 processor architecture.

22. (Original) The memory management unit as recited in claim 13, wherein the security
attributes of the selected memory page comprise a user/supervisor (U/S) bit and a read/write
(R/W) bit as defined by the x86 processor architecture, and wherein U/S=0 indicates the selected
memory page is an operating system memory page and corresponds to a supervisor level of the
operating system, and wherein U/S=1 indicates the selected memory page is a user memory page
and corresponds to a user level of the operating system, and wherein R/W=0 indicates only read
accesses are allowed to the selected memory page, and wherein R/W=1 indicates that both read
and write accesses are allowed to the selected memory page.

23. (Currently Amended) A memory management unit for managing a memory storing data
arranged within a plurality of memory pages, the memory management unit comprising:

a paging unit coupled to the memory and to receive a linear address produced
during execution of a current instruction residing within a first memory page, wherein the
paging unit is configured to use the linear address to produce a physical address accessed
by the current instruction, and wherein the physical address includes a base address of a
selected memory page and an offset, and wherein the paging unit is configured to access
at least one paged memory data structure located in the memory using the linear address
to obtain the base address and security attributes of the selected memory page, and
wherein the paging unit is configured to receive a security attribute of the instruction, and
wherein the paging unit is configured to produce a fault signal dependent upon the
security attribute of the instruction and the security attributes of the selected memory
page, and wherein the paging unit comprises:

a security check unit coupled to receive the security attribute of the
instruction, the security attributes of the selected memory page, and the physical
address within the selected memory page, and wherein the security check unit is
configured to use the physical address to access at least one security attribute data
structure located in the memory to obtain an additional security attribute of the
selected memory page, to compare information a numerical value conveyed by a
security attribute of the current instruction to information a numerical value
conveyed by the additional security attribute of selected memory page, and to
produce an output signal dependent upon a result of the comparison; and

wherein the memory management unit is configured to access the selected memory page
dependent upon the output signal.

24. (Original) The memory management unit as recited in claim 23, wherein the at least one
paged memory data structure comprises a page directory and at least one page table as defined by
the x86 processor architecture.

25. (Original) The memory management unit as recited in claim 23, wherein the security
attribute of the current instruction comprises a current privilege level (CPL) of a task including
the current instruction as defined by the x86 processor architecture.

26. (Original) The memory management unit as recited in claim 23, wherein the security
attributes of the selected memory page comprise a user/supervisor (U/S) bit a read/write (R/W)
bit as defined by the x86 processor architecture, and wherein U/S=0 indicates the selected
memory page is an operating system memory page and corresponds to a supervisor level of the
operating system, and wherein U/S=1 indicates the selected memory page is a user memory page
and corresponds to a user level of the operating system, and wherein R/W=0 indicates only read
accesses are allowed to the selected memory page, and wherein R/W=1 indicates that both read
and write accesses are allowed to the selected memory page.

27. (Original) The memory management unit as recited in claim 23, wherein the additional
security attribute of the selected memory page comprises a security context identification (SCID)
value, and wherein the SCID value is an integer value greater than or equal to 0 and indicates a
security context level of the selected memory page.

28. (Original) The memory management unit as recited in claim 23, wherein the security
attribute of the current instruction comprises a security context identification (SCID) value, and
wherein the SCID value is an integer value greater than or equal to 0 and indicates a security
context level of the first memory page containing the current instruction.

29. (Original) The memory management unit as recited in claim 23, wherein the at least one
security attribute data structure comprises a security attribute table directory and at least one
security attribute table.

30. (Original) The memory management unit as recited in claim 29, wherein the security
attribute table directory comprises a plurality of entries, and where each entry of the security
attribute table directory includes a present bit and a security attribute table base address field, and
wherein the present bit indicates whether or not a security attribute table corresponding to the
security attribute table directory entry is present in the memory, and wherein the security
attribute table base address field is reserved for a base address of the security attribute table
corresponding to the security attribute table directory entry.

31. (Original) The memory management unit as recited in claim 29, wherein the at least one
security attribute table comprises a plurality of entries, and where each entry of the security
attribute table includes security context identification (SCID) field, and wherein the SCID field
includes a plurality of bit positions, and wherein the bit positions form a binary representation of
an SCID value, and wherein the SCID value is an integer value greater than or equal to 0, and
wherein the SCID value indicates a security context level of a corresponding memory page.

32. (Currently Amended) A method for providing access security for a memory used to store
data arranged within a plurality of memory pages, the method comprising:

receiving a linear address produced during execution of an instruction and a security
attribute of the instruction, wherein the instruction resides in a first memory page;

using the linear address to access at least one paged memory data structure located in the
memory to obtain a base address of a selected memory page and security attributes of the
selected memory page;

combining the base address of the selected memory page with an offset to produce a
physical address within the selected memory page if the security attribute of the instruction and
the security attributes of the selected memory page indicate the access is authorized;

generating a fault signal if the security attribute of the instruction and the security
attributes of the selected memory page indicate the access is not authorized;

accessing at least one security attribute data structure located in the memory using the
physical address of the selected memory page to obtain an additional security attribute of the first
memory page and an additional security attribute of the selected memory page;

comparing information a numerical value conveyed by an additional security attribute of
the first memory page to information a numerical value conveyed by the additional security
attribute of selected memory page; and

accessing the selected memory page dependent upon a result of the comparing of the
information numerical values conveyed by the security attribute of the first memory page and the
additional security attribute of selected memory page.

33. (Original) The method as recited in claim 32, wherein the receiving comprises:

receiving a linear address produced during execution of an instruction and a security
attribute of the instruction, wherein the instruction resides in a first memory page, and wherein
the security attribute of the instruction comprises a current privilege level (CPL) of a task
including the instruction as defined by the x86 processor architecture.

34. (Original) The method as recited in claim 32, wherein the using comprises:

using the linear address to access at least one paged memory data structure located in the
memory to obtain a base address of a selected memory page and security attributes of the
selected memory page, wherein the at least one paged memory data structure comprises a page
directory and at least one page table as defined by the x86 processor architecture.

35. (Previously Presented) The method as recited in claim 32, wherein the combining
comprises:

combining the base address of the selected memory page with an offset to produce a
physical address within the selected memory page if the security attribute of the instruction and
the security attributes of the selected memory page indicate the access is authorized, wherein the
security attributes of the selected memory page comprise a user/supervisor (U/S) bit a read/write
(R/W) bit as defined by the x86 processor architecture, and wherein U/S=0 indicates the selected
memory page is an operating system memory page and corresponds to a supervisor level of the
operating system, and wherein U/S=1 indicates the selected memory page is a user memory page
and corresponds to a user level of the operating system, and wherein R/W=0 indicates only read
accesses are allowed to the selected memory page, and wherein R/W=1 indicates that both read
and write accesses are allowed to the selected memory page.

36. (Previously Presented) The method as recited in claim 32, wherein the generating
comprises:

generating a fault signal if the security attribute of the instruction and the security
attributes of the selected memory page indicate the access is not authorized, wherein the fault
signal is a general protection fault (GPF) signal as defined by the x86 processor architecture.

37. (Previously Presented) The method as recited in claim 32, wherein the accessing
comprises:

accessing at least one security attribute data structure located in the memory using the
physical address of the selected memory page to obtain an additional security attribute of the first
memory page and an additional security attribute of the selected memory page, wherein the at
least one security attribute data structure comprises a security attribute table directory and at least
one security attribute table, and wherein the additional security attribute of the first memory page
comprises a security context identification (SCID) value of the first memory page, and wherein
the SCID value of the first memory page is an integer value greater than or equal to 0 and
indicates a security context level of the first memory page, and wherein the additional security
attribute of the selected memory page comprises a security context identification (SCID) value of
the selected memory page, and wherein the SCID value of the selected memory page is an
integer value greater than or equal to 0 and indicates a security context level of the selected
memory page.
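
The method of claims 32 to 37, modelled in C as an added example; it is not part of the filing. The 10+10+12 address split, the `instr_pa` parameter used to locate the instruction's page, the rule that SCIDs must be equal, and denial when no security attribute table is present are all assumptions, since the claims state only that access depends on the result of the comparison.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed geometry (not fixed by the claims): 4 KiB pages, 10+10+12 split. */
#define ENTRIES 1024u
#define P_BIT   0x1u                /* present */
#define RW_BIT  0x2u                /* R/W=1: reads and writes allowed */
#define US_BIT  0x4u                /* U/S=1: user page */

typedef enum { ACCESS_OK, FAULT_PAGING, FAULT_SECURITY } result_t;

/* One shape for both directories: page directory -> page table entries,
   security attribute table (SAT) directory -> per-page SCID values. */
typedef struct { uint32_t flags; const uint32_t *table; } dir_entry_t;

/* SAT directory walk, indexed by physical address. Returns 0 on success. */
static int sat_lookup(const dir_entry_t *sat_dir, uint32_t pa, uint32_t *scid)
{
    const dir_entry_t *d = &sat_dir[pa >> 22];
    if (!(d->flags & P_BIT) || d->table == NULL)
        return -1;                  /* present bit clear: no SAT for this region */
    *scid = d->table[(pa >> 12) & 0x3FFu];
    return 0;
}

result_t check_access(const dir_entry_t *page_dir, const dir_entry_t *sat_dir,
                      uint32_t linear, uint32_t instr_pa, unsigned cpl,
                      int is_write, uint32_t *pa_out)
{
    /* Paging unit: walk page directory and page table with the linear address. */
    const dir_entry_t *pde = &page_dir[linear >> 22];
    if (!(pde->flags & P_BIT) || pde->table == NULL) return FAULT_PAGING;
    uint32_t pte = pde->table[(linear >> 12) & 0x3FFu];
    if (!(pte & P_BIT)) return FAULT_PAGING;

    /* U/S and R/W against CPL; both levels must grant. Simplification:
       R/W=0 blocks writes at every privilege level. */
    uint32_t eff = pde->flags & pte;
    if (cpl == 3 && !(eff & US_BIT)) return FAULT_PAGING;
    if (is_write && !(eff & RW_BIT)) return FAULT_PAGING;
    uint32_t pa = (pte & 0xFFFFF000u) | (linear & 0xFFFu);

    /* Security check unit: SCID of the instruction's page vs. the target page.
       Assumed policy: a missing SAT or unequal SCIDs deny the access. */
    uint32_t scid_instr, scid_target;
    if (sat_lookup(sat_dir, instr_pa, &scid_instr) != 0 ||
        sat_lookup(sat_dir, pa, &scid_target) != 0)
        return FAULT_SECURITY;
    if (scid_instr != scid_target) return FAULT_SECURITY;
    *pa_out = pa;
    return ACCESS_OK;
}

/* Constructed sample: identity-mapped pages; the instruction lives at PA 0x1000. */
static uint32_t pt0[ENTRIES], sat0[ENTRIES];
static dir_entry_t page_dir[ENTRIES], sat_dir[ENTRIES];

result_t demo(uint32_t linear, unsigned cpl, int is_write)
{
    uint32_t pa = 0;
    page_dir[0] = (dir_entry_t){ P_BIT | RW_BIT | US_BIT, pt0 };
    sat_dir[0]  = (dir_entry_t){ P_BIT, sat0 };
    pt0[1] = 0x1000u | P_BIT | US_BIT;           sat0[1] = 1; /* code, read-only */
    pt0[2] = 0x2000u | P_BIT | RW_BIT | US_BIT;  sat0[2] = 1; /* same context */
    pt0[3] = 0x3000u | P_BIT | RW_BIT | US_BIT;  sat0[3] = 2; /* other context */
    pt0[4] = 0x4000u | P_BIT | RW_BIT;           sat0[4] = 1; /* supervisor page */
    pt0[6] = 0x00400000u | P_BIT | RW_BIT | US_BIT;           /* PA with no SAT */
    return check_access(page_dir, sat_dir, linear, 0x1000u, cpl, is_write, &pa);
}

int main(void) { return demo(0x3010u, 3, 0) == FAULT_SECURITY ? 0 : 1; }
```

The page at 0x3000 passes the U/S and R/W checks for a user-level read, yet is refused because its SCID differs from that of the instruction's page, which is the extra check the claims layer on top of the x86 paging attributes.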